authorNadezhda Ivanova <nivanova@symas.com>2013-10-15 02:06:38 +0300
committerAndrew Bartlett <abartlet@samba.org>2013-10-25 09:45:57 +1300
commitdaefca2a1aaa9f4e0ca2f17ef4c9a71412c081ea (patch)
tree85c9087d550b656abf6f2b075baa9234784ac380 /libcli
parent2d51424569a9fbb60215957bf5c17a1f0a9bb9ca (diff)
s4-dsacl: Fixed incorrect handling of privileges in sec_access_check_ds
Restore and backup privileges are not relevant to LDAP access checks, and the TakeOwnership privilege should grant the write_owner right.

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'libcli')
-rw-r--r--libcli/security/access_check.c12
1 files changed, 4 insertions, 8 deletions
diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index 2425e8a5aa..2be5928934 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -436,14 +436,10 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL);
}
- /* TODO: remove this, as it is file server specific */
- if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
- security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
- bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
- }
- if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
- security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
- bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
+ /* SEC_PRIV_TAKE_OWNERSHIP grants SEC_STD_WRITE_OWNER */
+ if ((bits_remaining & (SEC_STD_WRITE_OWNER)) &&
+ security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
+ bits_remaining &= ~(SEC_STD_WRITE_OWNER);
}
/* a NULL dacl allows access */
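Review bot: The comment on the new SEC_PRIV_TAKE_OWNERSHIP check says what is granted, but not that SEC_STD_WRITE_OWNER is cleared from bits_remaining before the DACL handling that appears to start at the `/* a NULL dacl allows access */` line. If so, a holder of the privilege is presumably never tested against an ACE for that right, deny entries included. With the removed TODO gone, nothing in the code records that SEC_PRIV_RESTORE and SEC_PRIV_BACKUP are left out of the directory-service check on purpose, so a later reader comparing this with a file-server access check could put them back. I would widen the comment to something like `/* SEC_PRIV_TAKE_OWNERSHIP grants SEC_STD_WRITE_OWNER independently of the DACL; backup/restore privileges are intentionally not honoured for DS (LDAP) access checks */`. The redundant parentheses in `(bits_remaining & (SEC_STD_WRITE_OWNER))` could also be dropped. The body of sec_access_check_ds starts and ends outside this hunk, so the ordering relative to the ACE walk should be confirmed there.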